From add803be89c1538d4b98d3fc0e25930b96a78fb2 Mon Sep 17 00:00:00 2001 From: moneromooo-monero Date: Mon, 6 Oct 2014 10:27:34 +0100 Subject: [PATCH] core_rpc_server: fix overreads in slow_memmem It would read data outside the allocated space in a couple cases. --- src/rpc/core_rpc_server.cpp | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/src/rpc/core_rpc_server.cpp b/src/rpc/core_rpc_server.cpp index e80451cda..97795801c 100644 --- a/src/rpc/core_rpc_server.cpp +++ b/src/rpc/core_rpc_server.cpp @@ -398,17 +398,19 @@ namespace cryptonote return true; } //------------------------------------------------------------------------------------------------------------------------------ - uint64_t slow_memmem(void* start_buff, size_t buflen,void* pat,size_t patlen) + // equivalent of strstr, but with arbitrary bytes (ie, NULs) + // This does not differentiate between "not found" and "found at offset 0" + uint64_t slow_memmem(const void* start_buff, size_t buflen,const void* pat,size_t patlen) { - void* buf = start_buff; - void* end=(char*)buf+buflen-patlen; - while((buf=memchr(buf,((char*)pat)[0],buflen))) + const void* buf = start_buff; + const void* end=(const char*)buf+buflen; + if (patlen > buflen || patlen == 0) return 0; + while(buflen>0 && (buf=memchr(buf,((const char*)pat)[0],buflen-patlen+1))) { - if(buf>end) - return 0; if(memcmp(buf,pat,patlen)==0) - return (char*)buf - (char*)start_buff; - buf=(char*)buf+1; + return (const char*)buf - (const char*)start_buff; + buf=(const char*)buf+1; + buflen = (const char*)end - (const char*)buf; } return 0; }